PULSE
LIVE17signals / 24h
FEED
ransomdoommageddon reclama a Reni Farmácias Associadas · BR · Healthcareransomunsafe reclama a CCR Solutions · BR · Business Servicesransomqilin reclama a PP+K · BR · Not Foundransomqilin reclama a Eana · AR · Not Foundransomqilin reclama a Synergy Products · TR · Not Foundransomnova reclama a meralmanisa · TR · Not Foundransomnova reclama a Dephub · ID · Not Foundransomnova reclama a Jota Joias Premium · BR · Consumer Servicesransomqilin reclama a Don Tortaco Mexican Grill · US · Hospitality and Tourismransomqilin reclama a Associated Theatrical Contractors · US · Business Servicesransompayload reclama a CKR Consulting Engineers · Business Servicesransomblackout reclama a yano.tokyo · JP · Technologyransomblackout reclama a www.miatech.net · US · Technologyransomblackout reclama a bluebellgroup.com · GB · Not Foundransomdoommageddon reclama a Reni Farmácias Associadas · BR · Healthcareransomunsafe reclama a CCR Solutions · BR · Business Servicesransomqilin reclama a PP+K · BR · Not Foundransomqilin reclama a Eana · AR · Not Foundransomqilin reclama a Synergy Products · TR · Not Foundransomnova reclama a meralmanisa · TR · Not Foundransomnova reclama a Dephub · ID · Not Foundransomnova reclama a Jota Joias Premium · BR · Consumer Servicesransomqilin reclama a Don Tortaco Mexican Grill · US · Hospitality and Tourismransomqilin reclama a Associated Theatrical Contractors · US · Business Servicesransompayload reclama a CKR Consulting Engineers · Business Servicesransomblackout reclama a yano.tokyo · JP · Technologyransomblackout reclama a www.miatech.net · US · Technologyransomblackout reclama a bluebellgroup.com · GB · Not Found
← All CVEs
CVE WatchJul 15, 2026

CVE-2026-61451

The Grav API plugin (grav-plugin-api) before 1.0.4 does not validate the origin of the client-supplied admin_base_url field in the POST /api

CVSS

9.6

Critical

EPSS

0.2%

p16

KEV

Exploit Today

5

0-100

Published: Jul 15, 2026 · Last modified: Jul 15, 2026 · CWE-601

EPSS · 30d
0.2%EPSS · 30 days0.2%
2026-07-162026-07-19
Technical description

The Grav API plugin (grav-plugin-api) before 1.0.4 does not validate the origin of the client-supplied admin_base_url field in the POST /api/v1/auth/forgot-password endpoint. The sanitizeHttpUrl() function only checks that the URL scheme is http/https and never verifies the host against the server's own origin, so an attacker can supply an arbitrary host. As a result, an unauthenticated attacker can cause the password reset email sent to a victim to contain a reset link pointing at an attacker-controlled server; when the victim follows the link, the valid reset token is disclosed to the attacker, enabling full account takeover. The vulnerable base URL can also be influenced via the Referer or Origin headers.

Official references
Related CVEs
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2021-365806.1 MED
71.9%
22Open Redirect vulnerability exists in IceWarp MailServer IceWarp Server Deep Castle 2 Update 1 (13.0.1.2) via the referer parameter.11d
CVE-2022-274616.1 MED
48.2%
14In nopCommerce 4.50.1, an open redirect vulnerability can be triggered by luring a user to authenticate to a nopCommerce page by clicking on a crafted link.11d
CVE-2026-411069.3 CRI
41.3%
12Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.12d
CVE-2026-149024.0 MED
40.3%
12An open redirect in Ivanti Xtraction before version 2026.2.1 allows a remote unauthenticated attacker to redirect users to arbitrary external URLs.4d
CVE-2025-686167.5 HIG
39.6%
12WeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint's `default_url_fetcher`. The vulnerability allows attackers to access internal network resources (such as `localhost` services or cloud metadata endpoints) even when a developer has implemented a custom `url_fetcher` to block such access. This occurs because the underlying `urllib` library follows HTTP redirects automatically without re-validating the new destination against the developer's security policy. Version 68.0 contains a patch for the issue.5d
CVE-2026-75048.1 HIG
39.5%
12A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the "Valid Redirect URIs" field and requires user interaction to be successfully exploited. The issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java's URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak's validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect.5d